Network address allocation using a user identity

ABSTRACT

The apparatuses and methods described herein may generate an identifier associated with a user identity responsive to detecting access to a network by a node associated with the user identity. The node may be assigned a temporary network address. The identifier associated with the user identity may be sent to the node. At least one permanent network address may be allocated to the node as a replacement for the temporary network address responsive to receiving an allocation request including the identifier from the node. The at least one permanent network address may be selected from one or more permanent network addresses previously assigned to the user identity.

CROSS REFERENCE TO RELATED APPLICATION

The present application is a continuation of U.S. patent application Ser. No. 12/604,714, entitled “NETWORK ADDRESS ALLOCATION USING A USER IDENTITY,” filed on Oct. 23, 2009, which is incorporated herein by reference in its entirety.

BACKGROUND

Currently, Internet Protocol (IP) addresses are assigned randomly, or based on a host computer address. Thus, with some organizations having hundreds or thousands of computers using the Dynamic Host Configuration Protocol (DHCP) for dynamic IP allocation, network administrators may find it onerous to track and control the network address usage of various users. It may also be difficult to assign special privileges to clients in the network based on their role in the organization, for example, since many firewalls operate using IP address-based rules.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a flow diagram illustrating methods of network address allocation according to various embodiments of the invention.

FIG. 2 is a flow diagram illustrating additional methods of network address allocation according to various embodiments of the invention.

FIG. 3 is a block diagram of apparatus and systems according to various embodiments of the invention.

FIG. 4 is a block diagram of an article of manufacture, including a specific machine, according to various embodiments of the invention.

DETAILED DESCRIPTION

In various embodiments, apparatus, systems, and methods that support network address allocation are provided. For example, in some embodiments, an identifier associated with a user identity may be generated responsive to detecting access to a network by a node associated with the user identity. The node may be assigned a temporary network address. The identifier associated with the user identity may be sent to the node. At least one permanent network address may be allocated to the node as a replacement for the temporary network address responsive to receiving an allocation request including the identifier from the node. The at least one permanent network address may be selected from one or more permanent network addresses previously assigned to the user identity. Additional embodiments are described, and along with the foregoing examples, will be set forth in detail below.

To address some of the challenges described above, in various embodiments, when user accounts are created by a directory service (DS), a unique set of IP addresses is also assigned to them. Thereafter, when a user logs in to a client computer, the DS reassigns to the client computer whichever one of the given IP addresses matches the sub-network of that client computer. This is done with the help of a DHCP server. For example, assume that a user has been assigned three permanent IP addresses as shown in Table I below when the user account is created in the DS. In this case, the user has been given two IP addresses for the 192.168.0.0 sub-network and one IP address for the 192.168.1.0 sub-network.

TABLE I

    IP Address      Network Subnet
    192.168.0.50    192.168.0.0
    192.168.0.51    192.168.0.0
    192.168.1.50    192.168.1.0

When the user acts to log in to a client computer in the 192.168.0.0 sub-network, it turns out that the client computer has already been assigned a temporary IP address by a DHCP server in the network. This temporary IP address can be used to log in to the client computer (e.g., via DS logging). When the log-in action is authorized by the DS, a process which runs along with the authentication service (e.g., the Novell® NMAS (Novell Modular Authentication Service) directory service) can operate to create a user identifier that is associated by the DS with a list of IP addresses, such as the list shown in Table I, so that the list can later be fetched by a DHCP server.

Therefore, when the client computer runs the startup task (e.g., the Novell® Client™ workstation software application), the task can operate to send a message, such as a DHCPRelease message, to release the assigned temporary IP address. The task may then operate to send a DHCPRequest message, along with the client identifier (obtained from the DS), to obtain one of the permanent IP addresses shown in Table I.

The DHCP server can process the client identifier to fetch the permanent IP address from the DS that matches the network address of the client computer. After the DHCP server fetches the list from the DS, if a matching IP address is found for the client, the DHCP server can send a DHCPACK message to the client machine. When the user of the client computer logs out, the permanent IP address is released, and the DHCP server again assigns a temporary IP address to the client computer.

In some embodiments, the DHCP server is configured to use the Lightweight Directory Access Protocol (LDAP), where client configuration information is stored in the DS. In this case, the DHCP server can read configuration information dynamically from any DS operating according to an X.500 standard.

Thus, in some embodiments, the permanent IP addresses allocated to a user identity (e.g., similar to or identical to the addresses shown in Table I) can be stored in the DS and associated with the identity of a particular user. For example, the addresses assigned via Table I can be included in configuration information that is made available in a directory on the DS for “user1”, as follows:

    host host1 {
        # The name is independent of the configuration ...
        option dhcp-client-identifier "user1";
        # The three permanent addresses from Table I; the one in the client's subnet is used
        fixed-address 192.168.0.50, 192.168.0.51, 192.168.1.50;
    }

When the DS authentication process operates to verify the identity of the user, a user identifier can be assigned, perhaps as a random number comprising a series of hexadecimal digits. For example, the random number can be added to the dhcp-client-identifier variable above, to provide the identifier “user1XyaZ . . . ”. This modified value is then made available to the user as a unique identifier that is associated with the authenticated user identity (e.g., via log-in activity).

The resulting random identifier that is delivered to the client computer is useful to prevent other entities from stealing permanently assigned IP addresses by making a false claim to the user identity without authentication. Thus, each request for a permanent IP address should be accompanied by a different, random identifier—so that a DHCP request that includes only a username will be rejected. Only requests to replace a temporary IP address that have the correct username and the random number generated by the DS will be accepted by the DHCP server. In this way, the DHCP server has some assurance that the correct person is requesting the permanently assigned IP address. Thus, in this example, the client computer can operate to send a DHCPRequest message with the generated string “user1XyaZ . . . ” as the client identifier to the DHCP server.

The DHCP server in turn can then operate to dynamically query the DS for the dhcp-client-identifier variable matching this string, so that any one or more of the permanent IP addresses can be delivered to the DHCP server, perhaps in the form of a list of addresses, with the lease information stored in a lease database.

In summary, the process may occur as follows. The client computer is authenticated to the DS, using log-in information supplied by a user, and the DS in turn generates and assigns a unique identifier to the DHCP configuration for that user identity, and sends the resulting identifier information to the client computer. As part of this process, the client computer can send a DHCPRelease message to the DHCP server to release the temporary IP address that was used for log-in activity. The client computer can then send a DHCPRequest message to the DHCP server to request a permanent IP address, in conjunction with the identifier it has received from the DS.

The DHCP server then can operate to query the DS, using the identifier it has obtained from the client computer, to determine one or more permanent IP addresses that have been previously assigned to the user identity that is now associated with the client computer. In response, the DS can return an IP address mapping list to the DHCP server.

The DHCP server can then select one of the permanent IP addresses returned by the DS, and allocate this address to the client computer. The DHCP server can store the lease information for the allocated address, so that no other DHCP server generates a conflict by allocating the same IP address to another entity at the same time.
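As an added illustration (not code from the patent), the following Python script simulates the exchange just summarized, and the same DS-side and DHCP-side steps that FIGS. 1 and 2 describe: a directory service that mints the random identifier at log-in and answers the DHCP server's mapping query, and a DHCP server that drops the temporary lease, allocates the Table I address matching the client's subnet, records it in a lease table so it is not allocated twice, and rejects a request carrying only the bare username or a retired identifier. The credential store, the /24 subnet mask, the temporary address pool, the identifier format (username plus random hex) and the DHCPNAK reason strings are assumptions.

```python
import ipaddress
import secrets

# Constructed sample data: the three permanent addresses from Table I, assigned
# to "user1" when the account is created, plus an assumed credential store.
PERMANENT_ADDRESSES = {"user1": ["192.168.0.50", "192.168.0.51", "192.168.1.50"]}
CREDENTIALS = {"user1": "correct horse"}   # assumption; a real DS would not store plaintext
SUBNET_PREFIX = 24                          # assumption: both Table I subnets are /24


class DirectoryService:
    """DS role: keeps the per-user permanent address lists and mints the random
    identifier that is handed to the node after a successful log-in."""

    def __init__(self, permanent, credentials):
        self.permanent = {user: list(addrs) for user, addrs in permanent.items()}
        self.credentials = credentials
        self.active = {}   # identifier -> username; valid only while logged in

    def login(self, username, password):
        """Authenticate and return username + random hex (e.g. "user1XyaZ..."),
        or None if the credentials are wrong."""
        expected = self.credentials.get(username)
        if expected is None or not secrets.compare_digest(expected, password):
            return None
        identifier = username + secrets.token_hex(8)   # fresh value per log-in
        self.active[identifier] = username
        return identifier

    def address_mapping_list(self, identifier):
        """Answer the DHCP server's query: the permanent addresses behind a live
        identifier, or [] if the identifier is unknown (e.g. a bare username)."""
        username = self.active.get(identifier)
        return list(self.permanent[username]) if username else []

    def logout(self, identifier):
        """Invalidate the identifier so it cannot be replayed later."""
        self.active.pop(identifier, None)


class DhcpServer:
    """DHCP role: hands out temporary addresses from a pool and swaps them for a
    permanent address when a request carries a valid DS identifier."""

    def __init__(self, ds, pool_start="192.168.0.100"):
        self.ds = ds
        self.next_temp = ipaddress.ip_address(pool_start)   # assumed pool
        self.leases = {}   # ip -> identifier, or "temporary" for pool leases

    def discover(self):
        """DHCPDISCOVER/OFFER: a temporary address tied to the node, not a user."""
        ip = str(self.next_temp)
        self.next_temp += 1
        self.leases[ip] = "temporary"
        return ip

    def release(self, ip):
        """DHCPRELEASE: drop the lease so the address can be reused."""
        self.leases.pop(ip, None)

    def request(self, identifier, client_ip):
        """DHCPREQUEST whose client identifier is the DS-issued string.
        Returns ("DHCPACK", ip) or ("DHCPNAK", reason)."""
        mapping = self.ds.address_mapping_list(identifier)
        if not mapping:
            return ("DHCPNAK", "unknown or expired identifier")
        # The client's subnet is taken from the address it just released.
        client_net = ipaddress.ip_network(f"{client_ip}/{SUBNET_PREFIX}", strict=False)
        for ip in mapping:
            if ipaddress.ip_address(ip) in client_net and ip not in self.leases:
                self.leases[ip] = identifier   # lease record blocks a double allocation
                return ("DHCPACK", ip)
        return ("DHCPNAK", "no free permanent address in the client's subnet")

    def logout(self, identifier):
        """User logs out: free the permanent lease and retire the identifier."""
        for ip, owner in list(self.leases.items()):
            if owner == identifier:
                del self.leases[ip]
        self.ds.logout(identifier)


def walkthrough():
    """The exchange from the page, plus the rejection cases it calls for."""
    ds = DirectoryService(PERMANENT_ADDRESSES, CREDENTIALS)
    dhcp = DhcpServer(ds)
    temp = dhcp.discover()                        # node boots with 192.168.0.100
    ident = ds.login("user1", "correct horse")    # DS returns "user1" + random hex
    dhcp.release(temp)                            # DHCPRelease of the temporary address
    ack = dhcp.request(ident, temp)               # -> ("DHCPACK", "192.168.0.50")
    bare = dhcp.request("user1", temp)            # username only -> DHCPNAK
    ident2 = ds.login("user1", "correct horse")   # same user on a second node
    second = dhcp.request(ident2, temp)           # .50 is leased -> gets .51
    dhcp.logout(ident)
    replay = dhcp.request(ident, temp)            # retired identifier -> DHCPNAK
    return ack, bare, second, replay


if __name__ == "__main__":
    for step in walkthrough():
        print(step)
```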

Thus, many embodiments of the invention may be realized, and each can be implemented in a variety of architectural platforms, along with various operating and server systems, devices, and applications. Any particular architectural layout or implementation presented herein is therefore provided for purposes of illustration and comprehension only, and is not intended to limit the various embodiments.

FIG. 1 is a flow diagram illustrating methods 111 of network address allocation according to various embodiments of the invention. In some embodiments, as viewed from the perspective of the DS, one or more permanent addresses are assigned to a user identity, and when that user identity attempts to access the network using a temporary address, a unique user identifier is generated. This identifier is sent to the accessing node so that one of the permanent addresses can be requested as a replacement for the temporary address.

For the purposes of this document, a “permanent” IP address is one that has been pre-assigned to a particular user identity (e.g., defined by a set of log-in credentials), and which is used to replace a temporary IP address in various embodiments of the invention. Thus, a permanent IP address is one that is intended to be associated with a particular user, regardless of the node used to log in to a network. The permanent IP address may not be allocated unless the identity of the user is known to the DS.

A “temporary” IP address is one that is assigned to a node, rather than a user identity, and normally enables any user that operates the node to log in to a network if valid log-in credentials are supplied. The temporary IP address is not assigned to any particular user identity, and can be assigned to a node with no knowledge of the associated user identity.

The methods 111 are implemented in a machine-accessible and readable medium and are operational over processes within and among networks. The networks may be wired, wireless, or a combination of wired and wireless. The methods 111 may be implemented as instructions, which when accessed by a specific machine, perform the processing depicted in FIG. 1. Given this context, network address allocation is now discussed with reference to FIG. 1.

In some embodiments, a processor-implemented method 111 that can be executed on one or more processors that perform the method may operate to allocate network addresses by assigning one or more permanent network addresses to a user identity at block 121. The method 111 may go on to block 133 with detecting access to a network by a node associated with the user identity. The method 111 may operate in a loop at block 133, waiting until a valid network access attempt by a client computer associated with the user identity is detected.

A DS can detect valid attempts to access the network associated with the user identity by authenticating the user identity, perhaps via log-in credentials, such as a username/password, or a fingerprint, among other mechanisms. Thus, the activity at block 133 may comprise authenticating the user identity, and authenticating may in turn comprise determining that log-in credentials received from a particular node are associated with a known user identity.

Once an access attempt associated with a particular user identity has been detected, the method 111 may continue on to block 137 with generating an identifier associated with the user identity. The identifier is one that may be randomly generated by the DS. Thus, the activity at block 137 may comprise generating the identifier as a random identifier.

The method 111 may continue on to block 141 with sending the identifier to the node, to enable the node to obtain replacement of a temporary network address (allocated to the node) with the permanent network address.

Once the address management server (e.g., a DHCP server) gets the address replacement request from the node, the server can send a query to the DS to obtain the corresponding address mapping list. Thus, the method 111 may continue on to block 145 with receiving an address mapping request from an address management server, the request including the identifier.

Once the DHCP server sends the query with the identifier to the DS, the DS can respond with a list of addresses that have been permanently assigned to the user identity. Thus, the method 111 may continue on to block 149 with sending an address mapping list including one or more permanent network addresses to an address management server in response to receiving a request from the address management server, the request including the identifier.

As noted previously, a DS can be used as a repository for the lists of permanent addresses that have been assigned to various user identities. Thus, the activity at block 149 may comprise sending the address mapping list from a DS. Other embodiments may be realized.

For example, FIG. 2 is a flow diagram illustrating additional methods 211 of network address allocation according to various embodiments of the invention. In this case, the methods 211 operate from the perspective of the address management server (e.g., a DHCP server), where a temporary address release request is received from a node, and then an allocation request for a previously-assigned permanent network address is received from the same node, identified by an identifier unique to the node and the user identity. The permanent address is then allocated to the node, based on the user identity and the identifier.

The methods 211 are implemented in a machine-accessible and readable medium, and are operational over processes within and among networks. The networks may be wired, wireless, or a combination of wired and wireless. The methods 211 may be implemented as instructions, which when accessed by a specific machine, perform the processing depicted in FIG. 2.

Thus, in some embodiments, a processor-implemented method 211 that can be executed on one or more processors that perform the method may begin with waiting at block 221 to receive a release request from a node to release a temporary network address allocated to the node, wherein the node is associated with a user identity.

Once the request is received, the method 211 may continue on to block 225 with receiving an allocation request from the node to allocate a permanent network address previously assigned to the user identity, wherein the request includes an identifier generated in association with the node and the user identity. The node may send its allocation request to a DHCP server. Thus, the activity at block 225 may comprise receiving the allocation request at a DHCP server.

The identifier is one that may be randomly generated by a DS. Thus, the activity at block 225 may comprise receiving the allocation request including the identifier comprising a randomly-generated identifier generated by a DS.

Nodes may take the form of physical or virtual machines. Thus, the activity at block 225 may comprise receiving the allocation request from a virtual machine, a physical machine, or a combination of these.

The DHCP server can request previously-determined, permanent address assignment information from a DS, based on the identifier that has been temporarily associated with the node and the user identity. Thus, the method 211 may continue on to block 229 with transmitting an address mapping request to a DS, the request including the identifier.

The DS can operate to send the DHCP server one or more addresses, perhaps in the form of a list, that have been permanently assigned to the user identity, based on the identifier. Thus, the method 211 may continue on to block 233 to include receiving an address mapping list including one or more permanent network addresses, from a DS. The address mapping list may comprise multiple permanently-assigned network addresses associated with the user identity.

The method 211 may continue on to block 237 with allocating one of the permanent network addresses to the node as a replacement for the temporary network address. The permanent addresses may be assigned or allocated to a specific user identity by a network administrator via the DS.

The methods described herein do not have to be executed in the order described, or in any particular order. Moreover, various activities described with respect to the methods identified herein can be executed in repetitive, serial, or parallel fashion. The individual activities of the methods shown in FIGS. 1 and 2 can also be combined with each other and/or substituted, one for another, in various ways. Information, including parameters, commands, operands, and other data, can be sent and received in the form of one or more carrier waves. Thus, many other embodiments may be realized.

The methods of network address allocation shown in FIGS. 1 and 2 can be implemented in various devices, as well as in a computer-readable storage medium, where the methods are adapted to be executed by one or more processors. Further details of such embodiments will now be described.

FIG. 3 is a block diagram of apparatus 300 and systems 360 according to various embodiments of the invention. Here it can be seen that an apparatus 300 used to implement network address allocation may comprise one or more processing nodes 302, one or more processors 320, memory 322, a transmission module 326, a generator processor 328, and a display 342. The display 342 may be used to display a menu of permanent addresses 332 that are currently allocated to a particular user identity. The apparatus 300 may comprise a server, a client, or some other networked processing node.

The processing nodes 302 may comprise physical machines or virtual machines, or a mixture of both. The nodes 302 may also comprise networked entities, such as servers and/or clients. In some implementations, the operations described can occur entirely within a single node 302.

In some embodiments, a system 360 that operates to implement network address allocation may comprise multiple instances of an apparatus 300. The system 360 might also comprise a cluster of nodes 302, including physical and virtual nodes. It should be noted that any one of the nodes 302 may include any one or more of the elements explicitly shown in nodes NODE_1, . . . , NODE_N.

In some embodiments then, a system 360 can operate using multiple nodes: one node (e.g., NODE_1) operating as a DS, another operating as a client (e.g., NODE_2), and still another (e.g., NODE_N) as a DHCP server. The storage of permanently allocated addresses 332, perhaps in the form of lists 340, may occur in yet another node (e.g., NODE_3), completely apart from the DS, client, and DHCP nodes NODE_1, NODE_2, and NODE_N, in some embodiments.

Thus, in some embodiments, a system 360 comprises a first node (e.g., NODE_1) that provides unique identifiers 338 that enable a second node (e.g., NODE_2) to replace temporary addresses TMPADD with permanent ones PERMADD that are associated with a particular user identity.

A system 360 may also comprise a first node (e.g., NODE_1) to access a storage unit 354 or memory 322 to store a plurality of mapping lists 340, at least one of the plurality of mapping lists 340 including one or more permanent network addresses 332 assigned to a user identity. The system 360 may further comprise a generator module 328 to generate an identifier 338 associated with the user identity when access to a network 316 by a second node (e.g., NODE_2) associated with the user identity is detected. The system 360 may comprise, in addition, a transmission module 326 to send the identifier 338 to the second node (e.g., NODE_2) to enable the second node to obtain replacement of a temporary network address TMPADD allocated to the second node with one of the permanent network addresses 332.

The first node (e.g., NODE_1) may comprise a DS server. The device used to store the mapping lists 340 can be separated from the first node, and thus, the system 360 may further comprise the storage unit 354 housed in a third node (e.g., NODE_3). Still further embodiments may be realized.

In some embodiments, a system 360 comprises a first node that provides address allocation to a second (client) node, to replace a temporary address held by the second node with a permanent address associated with a particular user identity. Thus, a system 360 may comprise a first node (e.g., NODE_N) to receive a release request 344 from a second node (e.g., NODE_2) to release a temporary network address TMPADD allocated to the second node, wherein the second node is associated with a user identity. The first node may further operate to receive an allocation request 346 from the second node to allocate a permanent network address PERMADD previously assigned to the user identity, wherein the allocation request 346 includes an identifier 338 generated in association with the second node and the user identity. The system 360 may further include an allocation module 356 to allocate the permanent network address PERMADD to the second node as a replacement for the temporary network address TMPADD.

The system 360 may include a DHCP server to provide the services of the first node (e.g., NODE_N). Thus, the first node may comprise a DHCP server. The system 360 may include a DS as part of another node. Thus, the system 360 may comprise a third node (e.g., NODE_1) to couple to the first node and to provide a directory service to assign the permanent network address PERMADD to the user identity.

The nodes 302 may exist as a device embedded within another structure (e.g., as an embedded device), or as a desktop or laptop computer that includes a display 342 to show the activities conducted while the node 302 is active. Thus, the system 360 may also comprise a display 342 coupled to the nodes 302 to display visible indications of the activities conducted at the nodes 302.

The apparatus 300 and system 360 may be implemented in a machine-accessible and readable medium that is operational over one or more networks 316. The networks 316 may be wired, wireless, or a combination of wired and wireless. The apparatus 300 and system 360 can be used to implement, among other things, the processing associated with the methods 111 and 211 of FIGS. 1 and 2, respectively. Modules may comprise hardware, software, and firmware, or any combination of these. Additional embodiments may be realized.

For example, FIG. 4 is a block diagram of an article 400 of manufacture, including a specific machine 402, according to various embodiments of the invention. Upon reading and comprehending the content of this disclosure, one of ordinary skill in the art will understand the manner in which a software program can be launched from a computer-readable medium in a computer-based system to execute the functions defined in the software program.

One of ordinary skill in the art will further understand the various programming languages that may be employed to create one or more software programs designed to implement and perform the methods disclosed herein. The programs may be structured in an object-orientated format using an object-oriented language such as Java or C++. Alternatively, the programs can be structured in a procedure-orientated format using a procedural language, such as assembly or C. The software components may communicate using any of a number of mechanisms well known to those of ordinary skill in the art, such as application program interfaces or interprocess communication techniques, including remote procedure calls. The teachings of various embodiments are not limited to any particular programming language or environment. Thus, other embodiments may be realized.

For example, an article 400 of manufacture, such as a computer, a memory system, a magnetic or optical disk, some other storage device, and/or any type of electronic device or system may include one or more processors 404 coupled to a machine-readable medium 408 such as a memory (e.g., removable storage media, as well as any memory including an electrical, optical, or electromagnetic conductor) having instructions 412 stored thereon (e.g., computer program instructions), which when executed by the one or more processors 404 result in the machine 402 performing any of the actions described with respect to the methods above.

The machine 402 may take the form of a specific computer system having a processor 404 coupled to a number of components directly, and/or using a bus 416. Thus, the machine 402 may be similar to or identical to the apparatus 300 or system 360 shown in FIG. 3.

Turning now to FIG. 4, it can be seen that the components of the machine 402 may include main memory 420, static or non-volatile memory 424, and mass storage 406. Other components coupled to the processor 404 may include an input device 432, such as a keyboard, or a cursor control device 436, such as a mouse. An output device 428, such as a video display, may be located apart from the machine 402 (as shown), or made as an integral part of the machine 402.

A network interface device 440 to couple the processor 404 and other components to a network 444 may also be coupled to the bus 416. The instructions 412 may be transmitted or received over the network 444 via the network interface device 440 utilizing any one of a number of well-known transfer protocols (e.g., HyperText Transfer Protocol). Any of these elements coupled to the bus 416 may be absent, present singly, or present in plural numbers, depending on the specific embodiment to be realized.

The processor 404, the memories 420, 424, and the storage device 406 may each include instructions 412 which, when executed, cause the machine 402 to perform any one or more of the methods described herein. In some embodiments, the machine 402 operates as a standalone device or may be connected (e.g., networked) to other machines. In a networked environment, the machine 402 may operate in the capacity of a server or a client machine in a server-client network environment, or as a peer machine in a peer-to-peer (or distributed) network environment.

The machine 402 may comprise a personal computer (PC), a tablet PC, a set-top box (STB), a PDA, a notebook computer, a cellular telephone, a web appliance, a network router, switch or bridge, server, client, or any specific machine capable of executing a set of instructions (sequential or otherwise) that direct actions to be taken by that machine to implement the methods and functions described herein. Further, while only a single machine 402 is illustrated, the term “machine” shall also be taken to include any collection of machines that individually or jointly execute a set (or multiple sets) of instructions to perform any one or more of the methodologies discussed herein.

While the machine-readable medium 408 is shown as a single medium, the term “machine-readable medium” should be taken to include a single medium or multiple media (e.g., a centralized or distributed database, and/or associated caches and servers, and/or a variety of storage media, such as the registers of the processor 404, memories 420, 424, and the storage device 406) that store the one or more sets of instructions 412. The term “machine-readable medium” shall also be taken to include any medium that is capable of storing, encoding or carrying a set of instructions for execution by the machine and that cause the machine 402 to perform any one or more of the methodologies of the present invention, or that is capable of storing, encoding or carrying data structures utilized by or associated with such a set of instructions. The terms “machine-readable medium” or “computer-readable medium” shall accordingly be taken to include tangible media, such as solid-state memories and optical and magnetic media.

Various embodiments may be implemented as a stand-alone application (e.g., without any network capabilities), a client-server application or a peer-to-peer (or distributed) application. Embodiments may also, for example, be deployed by Software-as-a-Service (SaaS), an Application Service Provider (ASP), or utility computing providers, in addition to being sold or licensed via traditional channels.

Implementing the apparatus, systems, and methods described herein may operate to pre-allocate a set of IP addresses to users when user accounts are created by a DS. This assignment of permanent IP addresses to specific user identities can make it much easier for network administrators to monitor and control the activity of users within a network. Further, the mechanisms described herein can make it possible for individual users to receive the same IP address whenever they log in to a particular network, regardless of the device used to gain access. More efficient allocation of processing resources, and increased user satisfaction, may result.

This Detailed Description is illustrative, and not restrictive. Many other embodiments will be apparent to those of ordinary skill in the art upon reviewing this disclosure. The scope of embodiments should therefore be determined with reference to the appended claims, along with the full scope of equivalents to which such claims are entitled.

The Abstract of the Disclosure is provided to comply with 37 C.F.R. §1.72(b) and will allow the reader to quickly ascertain the nature of the technical disclosure. It is submitted with the understanding that it will not be used to interpret or limit the scope or meaning of the claims.

In this Detailed Description of various embodiments, a number of features are grouped together in a single embodiment for the purpose of streamlining the disclosure. This method of disclosure is not to be interpreted as an implication that the claimed embodiments have more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive subject matter lies in less than all features of a single disclosed embodiment. Thus the following claims are hereby incorporated into the Detailed Description, with each claim standing on its own as a separate embodiment.

1. An apparatus comprising: memory to store one or more permanent network addresses assigned to a user identity; and one or more processors to execute an allocation module, the allocation module configured to: generate an identifier associated with the user identity responsive to detecting access to a network by a node associated with the user identity, the node being assigned a temporary network address; send the identifier associated with the user identity to the node; and allocate at least one permanent network address of the one or more permanent network addresses to the node as a replacement for the temporary network address responsive to receiving an allocation request including the identifier from the node.

2. The apparatus of claim 1, wherein the allocation module is configured to: receive a release request from the node to release the temporary network address.

3. The apparatus of claim 1, wherein the allocation module is configured to: assign the at least one permanent network address to another node responsive to detecting that a user associated with the user identity moves from the node and logs on to the other node.

4. The apparatus of claim 1, wherein the allocation module is configured to: assign the one or more permanent network addresses to the user identity responsive to receiving an indication that a user account associated with the user identity has been created.

5. The apparatus of claim 1, wherein the allocation module is configured to: select the one or more permanent network addresses from a plurality of network addresses associated with a same subnet of the network.

6. The apparatus of claim 1, wherein the one or more permanent network addresses comprise a first permanent network address and a second permanent network address, and wherein the allocation module is configured to: select an address associated with a first subnet of the network as the first permanent network address, and an address associated with a second subnet of the network as the second permanent network address.

7. The apparatus of claim 1, wherein the allocation module is configured to: generate the identifier responsive to receiving an indication that the user identity has been authenticated.

8. The apparatus of claim 1, wherein the identifier comprises a random identifier, wherein the allocating module is configured to: select a different random identifier for each permanent network address request.

9. The apparatus of claim 1, wherein the apparatus comprises a Dynamic Host Configuration Protocol (DHCP) server.

10. The apparatus of claim 1, wherein the apparatus comprises a directory service server.

11. A method comprising: generating, using one or more processors, an identifier associated with a user identity responsive to detecting access to a network by a node associated with the user identity, the node being assigned a temporary network address; sending the identifier associated with the user identity to the node; and allocating at least one permanent network address to the node as a replacement for the temporary network address responsive to receiving an allocation request including the identifier from the node, the at least one permanent network address selected from one or more permanent network addresses previously assigned to the user identity.
 12. Themethod of claim 11, wherein the detecting comprises: authenticating theuser identity.
 13. The method of claim 12, wherein the authenticatingcomprises: determining that log-in credentials received from the nodeare associated with the user identity.
 14. The method of claim 11,further comprising: assigning the one or more permanent networkaddresses to the user identity responsive to identifying that a useraccount associated with the user identity has been created by adirectory service.
 15. The method of claim 11, further comprising:receiving an address mapping list, including the one or more permanentnetwork addresses, from a directory service.
 16. The method of claim 15,further comprising: transmitting a request for the address mapping listto the directory service, the request including the identifier.
 17. Themethod of claim 11, wherein the allocating of the at least one permanentnetwork address comprises: receiving a release request from the node torelease the temporary network address.
 18. The method of claim 11,wherein the allocating of the at least one permanent network addresscomprises: refraining from allocating the at least one permanent networkaddress to the node responsive to determining that a subnet address ofthe at least one permanent network address does not match a subnet ofthe network accessed by the node.
 19. The method of claim 11, whereinthe node comprises one of a physical machine or a virtual machine.
 20. Anon-transitory computer-readable storage device storing instructionswhich, when executed by one or more processors, cause the one or moreprocessors to perform operations comprising: generating an identifierassociated with a user identity responsive to detecting access to anetwork by a node associated with the user identity, the node beingassigned a temporary network address; sending the identifier associatedwith the user identity to the node; and allocating at least onepermanent network address to the node as a replacement for the temporarynetwork address responsive to receiving an allocation request includingthe identifier from the node, the at least one permanent network addressselected from one or more permanent network addresses previouslyassigned to the user identity.
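The allocation sequence the claims describe (identifier issued on authenticated access, allocation request carrying that identifier, subnet check of claim 18, release of the temporary address of claim 17, fresh random identifier per request of claim 8), as an added illustrative model that is not part of the patent; the class and method names, the sample address assignments, and the choice to consume each identifier on first use so that a replayed or unknown identifier is refused are assumptions of this example.

```python
import ipaddress
import secrets


class AllocationModule:
    """Toy model of the claimed allocation module (claims 1, 8, 11, 17, 18).
    `assignments` maps a user identity to the permanent addresses previously
    assigned to it; the data below is constructed sample data, and the names
    here are assumptions of this example, not the patent's.
    """

    def __init__(self, assignments):
        self.assignments = {
            user: [ipaddress.ip_address(a) for a in addrs]
            for user, addrs in assignments.items()
        }
        self.pending = {}       # identifier -> (user identity, temporary address)
        self.released = set()   # temporary addresses given back by nodes (claim 17)

    def on_access(self, user, temp_addr):
        """Node holding `temp_addr` authenticated as `user`: issue a fresh identifier."""
        if user not in self.assignments:
            return None         # unknown identity: nothing to allocate
        ident = secrets.token_hex(16)   # new random identifier per request (claim 8)
        self.pending[ident] = (user, ipaddress.ip_address(temp_addr))
        return ident

    def on_allocation_request(self, ident, access_subnet):
        """Handle an allocation request carrying `ident`; return the permanent address or None."""
        entry = self.pending.pop(ident, None)   # consumed on first use: replays are refused
        if entry is None:
            return None
        user, temp_addr = entry
        subnet = ipaddress.ip_network(access_subnet)
        for addr in self.assignments[user]:
            if addr in subnet:                  # claim 18: address subnet must match
                self.released.add(temp_addr)    # temporary address released (claim 17)
                return str(addr)
        return None                             # refrain from allocating on mismatch


if __name__ == "__main__":
    module = AllocationModule({"alice": ["10.0.1.50", "10.0.2.50"]})
    ident = module.on_access("alice", "10.0.1.200")
    print(module.on_allocation_request(ident, "10.0.1.0/24"))   # 10.0.1.50
    print(module.on_allocation_request(ident, "10.0.1.0/24"))   # None (replayed)
```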